chore(deps): bump hono from 4.12.4 to 4.12.16#93
Closed
dependabot[bot] wants to merge 1 commit into
Closed
Conversation
Bumps [hono](https://github.com/honojs/hono) from 4.12.4 to 4.12.16. - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.4...v4.12.16) --- updated-dependencies: - dependency-name: hono dependency-version: 4.12.16 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
dependabot
Bot
added
dependencies
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
|
|
||
| '@ungap/structured-clone@1.3.0': | ||
| resolution: {integrity: sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g==} | ||
| deprecated: Potential CWE-502 - Update to 1.3.1 or higher |
There was a problem hiding this comment.
The lockfile regeneration surfaces @ungap/structured-clone@1.3.0 as deprecated with a Potential CWE-502 notice. CWE-502 (Deserialization of Untrusted Data) can allow remote code execution if attacker-controlled data passes through the structuredClone polyfill. While this is a transitive dependency and not directly introduced by this PR, it is now explicitly flagged. A follow-up PR should identify which package pulls it in and upgrade to @ungap/structured-clone@1.3.1 or higher to clear the advisory.
Prompt To Fix With AI
This is a comment left during a code review.
Path: pnpm-lock.yaml
Line: 3152
Comment:
**Deprecated transitive dependency with deserialization vulnerability**
The lockfile regeneration surfaces `@ungap/structured-clone@1.3.0` as deprecated with a `Potential CWE-502` notice. CWE-502 (Deserialization of Untrusted Data) can allow remote code execution if attacker-controlled data passes through the `structuredClone` polyfill. While this is a transitive dependency and not directly introduced by this PR, it is now explicitly flagged. A follow-up PR should identify which package pulls it in and upgrade to `@ungap/structured-clone@1.3.1` or higher to clear the advisory.
How can I resolve this? If you propose a fix, please make it concise.
Contributor
Author
|
Superseded by #98. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps hono from 4.12.4 to 4.12.16.
Release notes
Sourced from hono's releases.
... (truncated)
Commits
90d41824.12.16db05b96Merge commit from fork614b834Merge commit from fork027e3dffix(method-override): handle Content-Type with charset parameter (#4894)f774f8d4.12.1518fe604fix(jwt): support single-line PEM keys (#4889)cf2d2b74.12.1466daa2eMerge commit from forkfa2c74ffix(aws-lambda): handle invalid header names in request processing (#4883)37799274.12.13Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Greptile Summary
This PR bumps
honofrom 4.12.4 to 4.12.16 across two package manifests and regenerates the lockfile. The upgrade resolves three security advisories (HTML injection via unvalidated JSX tag names GHSA-69xw-7hcm-h432,bodyLimit()bypass for chunked requests GHSA-9vqf-7f2p-gf9v, and JSX attribute name injection GHSA-458j-xx4x-4375).apps/examples/hono-example/package.jsonandpackages/hono/package.jsonmove from4.12.4to4.12.16; the lockfile is updated accordingly with the new resolution integrity hash.@ungap/structured-clone@1.3.0(CWE-502),uuid@8.3.2, andglob@10.4.5, and bumps several indirect dependencies (graphql,tough-cookie,tldts,type-fest,turbo).Confidence Score: 5/5
Safe to merge — the change is a pure security patch bump with no API-breaking changes within the 4.12.x line.
The hono upgrade is patch-range only (4.12.4 → 4.12.16) and resolves three disclosed security advisories. The lockfile collateral changes (graphql, tough-cookie, tldts, turbo) are all minor/patch bumps without breaking changes. The @ungap/structured-clone CWE-502 notice is a pre-existing transitive dependency issue surfaced by the lockfile regeneration, not a regression introduced here.
No files require special attention; the lockfile's newly surfaced @ungap/structured-clone@1.3.0 deprecation is worth a follow-up in a separate PR.
Security Review
hono/jsx): Missing validation of JSX tag names injsx()/createElement()allowed HTML injection — fixed in this update.bodyLimitmiddleware): Chunked / unknown-length requests could bypass the body size limit and reach handlers — fixed in this update.hono/jsxSSR): Missing validation of JSX attribute names during SSR could corrupt generated HTML and inject attributes/elements — fixed in this update.@ungap/structured-clone@1.3.0): Deserialization vulnerability surfaced as a deprecated notice in the regenerated lockfile; not introduced by this PR but warrants a follow-up upgrade to ≥1.3.1.Important Files Changed
Flowchart
%%{init: {'theme': 'neutral'}}%% flowchart TD A[hono 4.12.4] -->|bump| B[hono 4.12.16] B --> C[Security Fix: GHSA-69xw-7hcm-h432\nJSX tag name injection] B --> D[Security Fix: GHSA-9vqf-7f2p-gf9v\nbodyLimit bypass for chunked requests] B --> E[Security Fix: GHSA-458j-xx4x-4375\nJSX attribute name injection] B --> F[Other fixes: JWT single-line PEM,\nmethod-override charset, type improvements] G[pnpm-lock.yaml regeneration] --> H[Indirect dep bumps:\ngraphql, tough-cookie, tldts,\ntype-fest, turbo] G --> I[Deprecated packages surfaced:\n@ungap/structured-clone 1.3.0 CWE-502\nuuid@8.3.2\nglob@10.4.5]Prompt To Fix All With AI
Reviews (1): Last reviewed commit: "chore(deps): bump hono from 4.12.4 to 4...." | Re-trigger Greptile